Title:

Kind
Code:

A1

Abstract:

The present invention provides a method for performing a point doubling operation with only one modular division and no multiply per operation. As a result, the invention reduces the number of mathematical operations needed to perform point doubling operations in elliptic curve computation. An elliptic curve cryptosystem using the present invention can be made to operate more efficiently using the present invention. An elliptic curve crypto-accelerator can be implemented using the present invention to dramatically enhance the performance of the elliptic curve cryptosystem. The invention derives the slope of a curve independently of the y-coordinate. By avoiding the calculation of the y term, one additional multiply is eliminated from each point-doubling operation. Using the invention, n consecutive point doublings can be reduced to n modular divisions and 1 multiply. This avoids the 2n multiplies of prior art approaches.

Inventors:

Chang, Sheueling (Cupertino, CA, US)

Application Number:

09/738571

Publication Date:

09/05/2002

Filing Date:

12/15/2000

Export Citation:

Assignee:

CHANG SHEUELING

Primary Class:

Other Classes:

708/491

International Classes:

View Patent Images:

Related US Applications:

Primary Examiner:

MALZAHN, DAVID H

Attorney, Agent or Firm:

Oracle America, Inc. / Darby (inactive) (Santa Clara, CA, US)

Claims:

1. A method of performing point doublings comprising: generating a first point doubling using an initial point (x, y) comprising generating a current slope value and a current x value; generating a second point doubling comprising generating a new current x value and new current slope value without using a multiplication step.

2. The method of claim 1 wherein said generating said second point doubling comprises generating a new current x value and new current slope value without using a y term.

3. The method of claim 1 wherein said generating said second point doubling comprises storing said current x value as a prior x value and storing said current slope value as a prior slope value; generating a new current x value using said prior slope value; and generating a new current slope value using said new current x value and said prior x value.

4. The method of claim 3 wherein said new current x value is generated by:x _{1}=s ^{2}+s+a where s is said prior slope value.

5. The method of claim 3 wherein said new current slope value is generated by:g =(x+x _{1} )^{2}/x _{1} +(s+ 1) where x is said prior x value and x1 is said current x value.

2. The method of claim 1 wherein said generating said second point doubling comprises generating a new current x value and new current slope value without using a y term.

3. The method of claim 1 wherein said generating said second point doubling comprises storing said current x value as a prior x value and storing said current slope value as a prior slope value; generating a new current x value using said prior slope value; and generating a new current slope value using said new current x value and said prior x value.

4. The method of claim 3 wherein said new current x value is generated by:

5. The method of claim 3 wherein said new current slope value is generated by:

Description:

[0001] 1. Field of the Invention

[0002] The present invention relates to computation of a point doubling operation of elliptic curve point scalar multiplication.

[0003] Portions of the disclosure of this patent document contain material that is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure as it appears in the Patent and Trademark Office file or records, but otherwise reserves all copyright rights whatsoever.

[0004] 2. Background Art

[0005] Computer systems are useful for performing mathematical operations (add, subtract, multiply, divide) on operands. Often the operands are polynomials. A polynomial is a mathematical expression of one or more algebraic terms each of which consists of a constant multiplied by one or more variables raised to a nonnegative integral power (e.g. a+bx+cx^{2}

[0006] One situation that requires the manipulation of polynomials is the encryption and decryption of data in a cryptosystem and digital signatures for verification of the sender. A cryptosystem is a system for sending a message from a sender to a receiver over a medium so that the message is “secure”, that is, so that only the intended receiver can recover the message. A cryptosystem converts a message, referred to as “plaintext” into an encrypted format, known as “ciphertext.” The encryption is accomplished by manipulating or transforming the message using a “cipher key” or keys. The receiver “decrypts” the message, that is, converts it from ciphertext to plaintext, by reversing the manipulation or transformation process using the cipher key or keys. So long as only the sender and receiver have knowledge of the cipher key, such an encrypted transmission is secure.

[0007] A digital signature is a bit-stream generated by a cryptosystem. It is attached to a message such that a receiver of the message can verify with the bit-stream and be assured that the message was indeed originated from the sender it claims to be. A “classical” cryptosystem is a cryptosystem in which the enciphering information can be used to determine the deciphering information. To provide security, a classical cryptosystem requires that the enciphering key be kept secret and provided to users of the system over secure channels. Secure channels, such as secret couriers, secure telephone transmission lines, or the like, are often impractical and expensive.

[0008] A system that eliminates the difficulties of exchanging a secure enciphering key is known as “public key encryption.” By definition, a public key cryptosystem has the property that someone who knows only how to encipher a message cannot use the enciphering key to find the deciphering key without a prohibitively lengthy computation. An enciphering function is chosen so that once an enciphering key is known, the enciphering function is relatively easy to compute. However, the inverse of the encrypting transformation function is difficult, or computationally infeasible, to compute. Such a function is referred to as a “one way function” or as a “trap door function.” In a public key cryptosystem, certain information relating to the keys is public. This information can be, and often is, published or transmitted in a non-secure manner. Also, certain information relating to the keys is private. This information may be distributed over a secure channel to protect its privacy, (or may be created by a local user to ensure privacy). Some of the cryptosystems that have been developed include the RSA system, the Massey-Omura system, and the El Gamal system.

[0009] Another form of public key cryptosystem is referred to as an “elliptic curve” cryptosystem. An elliptic curve cryptosystem is based on points on an elliptic curve E defined over a finite field F. Elliptic curve cryptosystems rely for security on the difficulty in solving the discrete logarithm problem. An advantage of an elliptic curve cryptosystem is there is more flexibility in choosing an elliptic curve than in choosing a finite field. Nevertheless, elliptic curve cryptosystems have not been widely used in computer-based public key exchange systems due to their late discovery and the mathematical complexity involved. Elliptic curve cryptosystems are described in “A Course in Number Theory and Cryptography” (Koblitz, 1987, Springer-Verlag, N.Y.).

[0010] In practice an Elliptic Curve group over Fields F(_{2}_{2}

^{2}^{3}^{2}

[0011] together with a point at infinity, O. The coordinates of the point, x and y, are elements of F(_{2}_{2}_{2}

[0012] The Elliptic Curve Cryptosystem relies upon the difficulty of the Elliptic Curve Discrete Logarithm Problem (ECDLP) to provide its effectiveness as a cryptosystem. Using multiplicative notation, the problem can be described as: given points P and Q in the group, find a number k such that P^{k}

[0013] In an Elliptic Curve Cryptosystem, the large integer k is kept private and is often referred to as the secret key. The point Q together with the base point P are made public and are referred to as the public key. The security of the system, thus, relies upon the difficulty of deriving the secret k, knowing the public points P and Q. The main factor that determines the security strength of such a system is the size of its underlying finite field. In a real cryptographic application, the underlying field is made so large that it is computationally infeasible to determine k in a straight forward way by computing all the multiples of P until Q is found.

[0014] The core of the elliptic curve geometric arithmetic is an operation called scalar multiplication which computes kP by adding together k copies of the point P. The scalar multiplication is performed through a combination of point-doubling and point-addition operations. The point-addition operation adds two distinct points together and the point-doubling operation adds two copies of a point together. To compute, for example, 11 P=(2*(2*(2P)))+2P=P, it would take 3 point-doublings and 2 point-additions.

[0015] Point-doubling and point-addition calculations require special operations when dealing with polynomial operands. Algebraic schemes for accomplishing these operations are illustrated below in Table 1.

TABLE 1 | |

Point addition: R = P + Q | Point Doubling: R = 2P |

S = (y_{P }_{Q}_{P }_{Q} | S = x_{P }_{P }_{P} |

x_{R }^{2 }_{P }_{Q} | x_{R }^{2 } |

y_{R }_{P }_{R}_{R }_{P} | y_{R }_{p}^{2 }_{R} |

If Q = −P, R = P + (−P) = O, | If x_{P } |

infinity | |

[0016] The two equations for S in the table are called the slope-equations. Computation of a slope equation requires one modular polynomial inversion (1/X mod M) where M is an irreducible polynomial and one modular polynomial multiplication (*Y mod M). Because the operands are polynomials, these operations are typically done back-to-back as two separate operations. There exist algorithms and solutions to calculate the modular inversion 1/X mod M and the modular multiplication *Y mod M. After the result of the modular inversion is calculated, the multiplication *Y mod M is performed. Of course, algebraically (1/X*Y) mod M is the same as Y/X mod M. However, there is currently no technique for calculating modular Y/X in one operation when the operands are binary polynomial functions. These two field operations, the inversion and the multiply, are expensive computationally because they require extensive CPU cycles for the manipulation of two large polynomials modular a large irreducible polynomial. Today, it is commonly accepted that a point-doubling and point-addition operation each requires one inversion, two multiplies, a square, and several additions. To date there are techniques to compute modular inversions, and techniques to trade expensive inversions for multiplies by performing the operations in projective coordinates. There have been no efficient hardware oriented techniques suggested to compute a modular division directly which can be used to perform point doubling and point addition operations.

[0017] The present invention provides a method for performing a point doubling operation with only one modular division and no multiply per operation. As a result, the invention reduces the number of mathematical operations needed to perform point doubling operations in elliptic curve computation. An elliptic curve cryptosystem using the present invention can be made to operate more efficiently using the present invention. An elliptic curve crypto-accelerator can be implemented using the present invention to dramatically enhance the performance of the elliptic curve cryptosystem.

[0018] The invention derives the slope of a curve independently of the y-coordinate. By avoiding the calculation of the y term, one additional multiply is eliminated from each point-doubling operation. Using the invention, n consecutive point doublings can be reduced to n modular divisions and 1 multiply. This avoids the 2n multiplies of prior art approaches.

[0019] These and other features, aspects and advantages of the present invention will become better understood with regard to the following description, appended claims and accompanying drawings where:

[0020]

[0021]

[0022]

[0023] The invention is a method for efficient computation of elliptic curve scalar multiplication. In the following description, numerous specific details are set forth to provide a more thorough description of embodiments of the invention. It is apparent, however, to one skilled in the art, that the invention may be practiced without these specific details. In other instances, well known features have not been described in detail so as not to obscure the invention.

[0024] The invention provides a system for performing point doublings with only one division operation and no multiplies per operation. The invention is described in connection with example operations from an elliptic curve cryptosystem.

[0025] Calculating Repeated Point Doublings

[0026] The conventional approach to repeated point-doublings, 2^{n}

Conventional Approach: | ||

P_{1 } | s = x + y/x | |

x_{1 }^{2 } | ||

y_{1 }^{2 }_{1} | ||

P_{2 }_{2}_{2}_{1 }_{1}_{1} | g = x_{1 }_{1}_{1} | |

x_{2 }^{2 } | ||

y_{2 }_{1}^{2 }_{2} | ||

P_{3 }_{2} | r = x_{2 }_{2}_{2} | |

x_{3 }_{3 } | ||

. . . | ||

P_{n }_{n−1 }_{n−1}_{n−1} | w = . . ., | |

x_{n }^{2 } | ||

y_{n }_{n−1}^{2 }_{n} | ||

[0027] It can be seen that both coordinates, x and y, are calculated at each step because the slope, s, in the table above is expressed in terms of the x and y coordinates of a point. The simplicity of this equation enables one to derive 2P with only the knowledge of the coordinates of point P. However, the calculation of the y term requires a multiplication operation.

[0028] The present invention takes advantage of the fact that both points P and P_{1 }_{1}_{1}^{2}_{1 }

_{1}^{2}_{1}_{1}

_{1}^{2}^{2}_{1}_{1}

_{1}^{2}^{2}_{1}_{1}_{1}

_{1}^{2}^{2}_{1}

_{1}^{2}_{1}

[0029] Note that the transition from equation 4 to equation 5 is possible because the equation is a modulo polynomial. Algebraically, (x+x_{1}^{2 }^{2}_{1}_{1}^{2}_{1 }

New Approach: 2^{n } | ||

P_{1 } | s = x + y/x, x_{1 }^{2 } | |

P_{2 }_{1 }_{1}_{1} | g = (x + x_{1}^{2}_{1 } | |

x_{2 }^{2 } | ||

P_{3 }_{2 }_{2}_{2} | r = (x_{2 }_{1}^{2}_{2 } | |

x_{3 }^{2 } | ||

. . . | ||

P_{n−1 }_{n−1}_{n−1} | q = . . . | |

P_{n = 2P}_{n−1 }_{n−1}_{n−1} | w = (x_{n−1 }_{n−2}^{2}_{n−1 } | |

x_{n }^{2 } | ||

y_{n }_{n−1}^{2 }_{n} | ||

[0030] As shown in the table above, the slope g for point P_{2 }_{1 }_{1 }

Conventional approach | New approach | |

2^{44 }_{1} | 88 multiplies + 44 inverts | 1 multiplies + 44 inverts |

2^{66 }_{2} | 132 multiplies + 66 inverts | 1 multiplies + 66 inverts |

2^{49 } | 98 multiplies + 49 inverts | 1 multiplies + 49 inverts |

Total multiplies | 318 | 3 |

[0031] The multiplies are subsumed into other operations in various forms. In the case of the slope calculation, the slope is transformed into a different form in order to eliminate the y-coordinate. The new equation introduces a square operation into the system, which is non-trivial but negligible compared to the cost of a multiply.

[0032] An example of the efficiency gain is demonstrated by applying the invention to a scalar multiplication example. For example, assume Q=kP. Assume the scalar k is a 160-bit large integer:

[0033] The invention first breaks up the binary bit-string of the scalar k into two kinds of windows, nonzero-windows and the zero-windows:

[0034] The scalar multiplication can be decomposed into multiple iterations of repeated point-doublings and point-additions:

[0035] A table look-up is an effective technique for eliminating point-additions. Using a small 4-bit look-up table, one can potentially eliminate up to 75% of the point-additions in the system. The size of a zero-window can be as large as it needs to be. The size of a nonzero-window is limited by the size of the look-up table used in the system. The points, 7P, 5P, and 1 3P can be fetched directly from a look-up table.

[0036] As can be seen from the table below, the calculation of 2^{49 }^{44 }_{1}^{66 }_{2 }

Conventional approach | New approach | |

159 point-doublings | 318 multiplies + | 3 multiplies + 159 divides |

159 inverts | ||

3 point-additions | 6 multiplies + | 3 multiplies + 3 divides |

3 inverts | ||

Total | 324 multiplies + | 6 multiplies + 162 divides |

162 inverts | ||

[0037] Operation of the Invention

[0038] _{0}_{0 }

[0039] At decision block _{0}_{1}_{1 }_{0 }_{1}

[0040]

[0041] Computer Environment

[0042] An embodiment of the invention can be implemented as computer software in the form of computer readable code executed in a general purpose computing environment such as environment

[0043] Computer

[0044] Network link

[0045] Processor

[0046] Computer

[0047] As with processor

[0048] The mass storage

[0049] In one embodiment of the invention, the processor

[0050] Computer

[0051] Application code may be embodied in any form of computer program product. A computer program product comprises a medium configured to store or transport computer readable code, or in which computer readable code may be embedded. Some examples of computer program products are CD-ROM disks, ROM cards, floppy disks, magnetic tapes, computer hard drives, servers on a network, and carrier waves.

[0052] The computer systems described above are for purposes of example only. An embodiment of the invention may be implemented in any type of computer system or programming or processing environment.

[0053] Thus, a method for efficient computation of elliptic curve point scalar multiplication has been described.